At least on UN*X systems you can run PHP perfectly as SSI - just do a SSI include

<!--#include virtual="phpscript.cgi" -->

where phpscript.cgi is a script which first line points to your PHP executable:

#!/usr/bin/php

which could also be c:\progra~\php\php.exe (I think).

Or did I completely misunderstand you?

Also the X-Powered-By can be switched off. Either by 

  /usr/bin/php -q

which omits all HTTP-headers (such as Content-type and X-Powered-By) or by configuration directive:

  expose_php = On  ; Decides whether PHP may expose the fact that it is installed
      ; server (e.g., by adding its signature to the Web server header).
      ; It is no security threat in any way, but it makes it possible
      ; to determine whether you use PHP on your server or not.


Kind Regards,
  Daniel Lorch

Adding -q is sufficient.  No PHP changes needed here.

You kind of understood ....

I was aware of the expose setting in the ini file, but it would be nice to be able to modify this at runtime.

How can you run that -q command from within a windows environment like IIS?

"php.exe -q" doesn't work on Windows?

Under IIS you specify what script engine runs your php file.  Basically says that all files with extension .php are run by c:/php/php.exe or whatever the executable is.

You COULD put the -q in there, but that would apply for all users.  Can you specify -q at runtime so that my ISP (or any ISP for that matter) doesn't have to set explicit settings for this?  That way it gets left up to the programmer HOW they want their php scripts run.

Forcing -q on all users would mean that everyone of the ISP's clients would have to output all the headers just to get their scripts running.

But this a completely intended behaviour. On UN*X you have to provide the -q as well in _every script_ which should be used as output called from a SSI directive.

Where do you have to make this setting? Globally for all PHP scripts? Or can it be done in every script. I don't know IIS, sorry.

Kind Regards,
  Daniel Lorch

Under IIS, you do not have to supply the path to the executable in every script.  That's the nature of windows.  It works via file extension association.

My solution is to create a function called set_expose("off") or whatever fits in with the php naming conventions so that this can be set at runtime from within the script.  Thus forcing php to not send out any headers by itself.

Well, on UN*X, too you don't have to supply the path to PHP.

But as you are implying, a script is either called "normally" OR from a SSI include. So every script which is called by SSI could have a "php -q" at the beginning, right? Your set_expose would therefore be redundant (unless -q is not possible from within IIS).

Is it possible, or not, to run a PHP-script with -q on IIS?

Kind Regards,
  Daniel Lorch

alternatively, why not have your isp make a new filtered extension, like .pssi or something, which has the executable set as php.exe -q ?

Ok, I've run some tests on my server and I can setup another filtered extension.  I guess this is one way to run it.  Seeing as this was a feature request, I thought it might be useful to be able to control this setting programatically.

If this isn't going to be added to the list of things to add, then please put this in some kind of configuration documentation somewhere. This question comes up a lot more than obviously you guys are aware of.

Nope.